move auth tests into separate behat suite

.drone.yml

@@ -774,6 +774,17 @@ matrix:
       OWNCLOUD_LOG: true
       INSTALL_TESTING_APP: true
 
+    - PHP_VERSION: 7.1
+      TEST_SUITE: api
+      BEHAT_SUITE: apiAuth
+      DB_TYPE: mariadb
+      USE_SERVER: true
+      SERVER_PROTOCOL: https
+      INSTALL_SERVER: true
+      CHOWN_SERVER: true
+      OWNCLOUD_LOG: true
+      INSTALL_TESTING_APP: true
+
     - PHP_VERSION: 7.1
       TEST_SUITE: api
       BEHAT_SUITE: apiCapabilities

tests/acceptance/config/behat.yml

@@ -20,6 +20,12 @@ default:
         - OccContext:
         - TransferOwnershipContext:
 
+    apiAuth:
+      paths:
+        - '%paths.base%/../features/apiAuth'
+      contexts:
+        - FeatureContext: *common_feature_context_params
+
     apiCapabilities:
       paths:
         - '%paths.base%/../features/apiCapabilities'

tests/acceptance/features/apiAuth/filesAppAuth.feature

@@ -0,0 +1,39 @@
+@api @TestAlsoOnExternalUserBackend
+Feature: auth
+
+  Background:
+    Given user "user0" has been created with default attributes
+    And a new client token for "user0" has been generated
+
+  @smokeTest
+  Scenario: access files app anonymously
+    When a user requests "/index.php/apps/files" with "GET" and no authentication
+    Then the HTTP status code should be "401"
+
+  @smokeTest
+  Scenario: access files app with basic auth
+    When user "user0" requests "/index.php/apps/files" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+
+  @smokeTest
+  Scenario: access files app with basic token auth
+    When user "user0" requests "/index.php/apps/files" with "GET" using basic token auth
+    Then the HTTP status code should be "200"
+
+  @smokeTest
+  Scenario: access files app with a client token
+    When the user requests "/index.php/apps/files" with "GET" using the generated client token
+    Then the HTTP status code should be "200"
+
+  @smokeTest
+  Scenario: access files app with browser session
+    Given a new browser session for "user0" has been started
+    When the user requests "/index.php/apps/files" with "GET" using the browser session
+    Then the HTTP status code should be "200"
+
+  @smokeTest
+  Scenario: access files app with an app password
+    Given a new browser session for "user0" has been started
+    And the user has generated a new app password named "my-client"
+    When the user requests "/index.php/apps/files" with "GET" using the generated app password
+    Then the HTTP status code should be "200"

tests/acceptance/features/apiAuth/ocsDELETEAuth.feature

@@ -0,0 +1,34 @@
+@api @TestAlsoOnExternalUserBackend
+Feature: auth
+
+  Background:
+    Given user "user0" has been created with default attributes
+    And a new client token for "user0" has been generated
+
+  @issue-32068
+  Scenario Outline: send DELETE requests to OCS endpoints as admin with wrong password
+    Given using OCS API version "<ocs_api_version>"
+    And group "group1" has been created
+    When the administrator sends HTTP method "DELETE" to OCS API endpoint "<endpoint>" using password "invalid"
+    Then the OCS status code should be "<ocs-code>"
+    And the HTTP status code should be "<http-code>"
+    Examples:
+      | ocs_api_version |endpoint                                             | ocs-code | http-code |
+      | 1               |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997      | 401       |
+      | 2               |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997      | 401       |
+      | 1               |/apps/files_sharing/api/v1/remote_shares/123         | 997      | 401       |
+      | 2               |/apps/files_sharing/api/v1/remote_shares/123         | 997      | 401       |
+      | 1               |/apps/files_sharing/api/v1/shares/123                | 997      | 401       |
+      | 2               |/apps/files_sharing/api/v1/shares/123                | 997      | 401       |
+      | 1               |/apps/files_sharing/api/v1/shares/pending/123        | 997      | 401       |
+      | 2               |/apps/files_sharing/api/v1/shares/pending/123        | 997      | 401       |
+      | 1               |/cloud/apps/testing                                  | 997      | 401       |
+      | 2               |/cloud/apps/testing                                  | 997      | 401       |
+      | 1               |/cloud/groups/group1                                 | 997      | 401       |
+      | 2               |/cloud/groups/group1                                 | 997      | 401       |
+      | 1               |/cloud/users/user0                                   | 997      | 401       |
+      | 2               |/cloud/users/user0                                   | 997      | 401       |
+      | 1               |/cloud/users/user0/groups                            | 997      | 401       |
+      | 2               |/cloud/users/user0/groups                            | 997      | 401       |
+      | 1               |/cloud/users/user0/subadmins                         | 997      | 401       |
+      | 2               |/cloud/users/user0/subadmins                         | 997      | 401       |

tests/acceptance/features/apiMain/auth.feature → tests/acceptance/features/apiAuth/ocsGETAuth.feature

@@ -1,70 +1,9 @@
 @api @TestAlsoOnExternalUserBackend
 Feature: auth
-
   Background:
     Given user "user0" has been created with default attributes
     And a new client token for "user0" has been generated
 
-	# FILES APP
-  @smokeTest
-  Scenario: access files app anonymously
-    When a user requests "/index.php/apps/files" with "GET" and no authentication
-    Then the HTTP status code should be "401"
-
-  @smokeTest
-  Scenario: access files app with basic auth
-    When user "user0" requests "/index.php/apps/files" with "GET" using basic auth
-    Then the HTTP status code should be "200"
-
-  @smokeTest
-  Scenario: access files app with basic token auth
-    When user "user0" requests "/index.php/apps/files" with "GET" using basic token auth
-    Then the HTTP status code should be "200"
-
-  @smokeTest
-  Scenario: access files app with a client token
-    When the user requests "/index.php/apps/files" with "GET" using the generated client token
-    Then the HTTP status code should be "200"
-
-  @smokeTest
-  Scenario: access files app with browser session
-    Given a new browser session for "user0" has been started
-    When the user requests "/index.php/apps/files" with "GET" using the browser session
-    Then the HTTP status code should be "200"
-
-  @smokeTest
-  Scenario: access files app with an app password
-    Given a new browser session for "user0" has been started
-    And the user has generated a new app password named "my-client"
-    When the user requests "/index.php/apps/files" with "GET" using the generated app password
-    Then the HTTP status code should be "200"
-
-	# WebDAV
-
-  Scenario: using WebDAV anonymously
-    When a user requests "/remote.php/webdav" with "PROPFIND" and no authentication
-    Then the HTTP status code should be "401"
-
-  Scenario: using WebDAV with basic auth
-    When user "user0" requests "/remote.php/webdav" with "PROPFIND" using basic auth
-    Then the HTTP status code should be "207"
-
-  Scenario: using WebDAV with token auth
-    When user "user0" requests "/remote.php/webdav" with "PROPFIND" using basic token auth
-    Then the HTTP status code should be "207"
-
-	# DAV token auth is not possible yet
-	#Scenario: using WebDAV with a client token
-	#	When requesting "/remote.php/webdav" with "PROPFIND" using a client token
-	#	Then the HTTP status code should be "207"
-
-  Scenario: using WebDAV with browser session
-    Given a new browser session for "user0" has been started
-    When the user requests "/remote.php/webdav" with "PROPFIND" using the browser session
-    Then the HTTP status code should be "207"
-
-
-	# OCS
   @issue-32068
   Scenario Outline: using OCS anonymously
     When a user requests "<endpoint>" with "GET" and no authentication

tests/acceptance/features/apiAuth/ocsPOSTAuth.feature

@@ -0,0 +1,40 @@
+@api @TestAlsoOnExternalUserBackend
+Feature: auth
+
+  Background:
+    Given user "user0" has been created with default attributes
+    And a new client token for "user0" has been generated
+
+  @issue-32068
+  Scenario Outline: send POST requests to OCS endpoints as normal user with wrong password
+    Given using OCS API version "<ocs_api_version>"
+    And user "user1" has been created with default attributes
+    When user "user0" sends HTTP method "POST" to OCS API endpoint "<endpoint>" with body using password "invalid"
+      | data        | doesnotmatter |
+    Then the OCS status code should be "<ocs-code>"
+    And the HTTP status code should be "<http-code>"
+    Examples:
+      | ocs_api_version |endpoint                                             | ocs-code | http-code |
+      | 1               |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997      | 401       |
+      | 2               |/apps/files_sharing/api/v1/remote_shares/pending/123 | 997      | 401       |
+      | 1               |/apps/files_sharing/api/v1/shares                    | 997      | 401       |
+      | 2               |/apps/files_sharing/api/v1/shares                    | 997      | 401       |
+      | 1               |/apps/files_sharing/api/v1/shares/pending/123        | 997      | 401       |
+      | 2               |/apps/files_sharing/api/v1/shares/pending/123        | 997      | 401       |
+      | 1               |/cloud/apps/testing                                  | 997      | 401       |
+      | 2               |/cloud/apps/testing                                  | 997      | 401       |
+      | 1               |/cloud/groups                                        | 997      | 401       |
+      | 2               |/cloud/groups                                        | 997      | 401       |
+      | 1               |/cloud/users                                         | 997      | 401       |
+      | 2               |/cloud/users                                         | 997      | 401       |
+      | 1               |/cloud/users/user0/groups                            | 997      | 401       |
+      | 2               |/cloud/users/user0/groups                            | 997      | 401       |
+      | 1               |/cloud/users/user0/subadmins                         | 997      | 401       |
+      | 2               |/cloud/users/user0/subadmins                         | 997      | 401       |
+      | 1               |/person/check                                        | 101      | 200       |
+      | 2               |/person/check                                        | 400      | 400       |
+      | 1               |/privatedata/deleteattribute/testing/test            | 997      | 401       |
+      | 2               |/privatedata/deleteattribute/testing/test            | 997      | 401       |
+      | 1               |/privatedata/setattribute/testing/test               | 997      | 401       |
+      | 2               |/privatedata/setattribute/testing/test               | 997      | 401       |
+

tests/acceptance/features/apiAuth/ocsPUTAuth.feature

@@ -0,0 +1,25 @@
+@api @TestAlsoOnExternalUserBackend
+Feature: auth
+
+  Background:
+    Given user "user0" has been created with default attributes
+    And a new client token for "user0" has been generated
+
+  @issue-32068
+  Scenario Outline: send PUT requests to OCS endpoints as admin with wrong password
+    Given using OCS API version "<ocs_api_version>"
+    When the administrator sends HTTP method "PUT" to OCS API endpoint "<endpoint>" with body using password "invalid"
+      | data        | doesnotmatter |
+    Then the OCS status code should be "<ocs-code>"
+    And the HTTP status code should be "<http-code>"
+    Examples:
+      | ocs_api_version |endpoint                              | ocs-code | http-code |
+      | 1               |/cloud/users/user0                    | 997      | 401       |
+      | 2               |/cloud/users/user0                    | 997      | 401       |
+      | 1               |/cloud/users/user0/disable            | 997      | 401       |
+      | 2               |/cloud/users/user0/disable            | 997      | 401       |
+      | 1               |/cloud/users/user0/enable             | 997      | 401       |
+      | 2               |/cloud/users/user0/enable             | 997      | 401       |
+      | 1               |/apps/files_sharing/api/v1/shares/123 | 997      | 401       |
+      | 2               |/apps/files_sharing/api/v1/shares/123 | 997      | 401       |
+

tests/acceptance/features/apiAuth/webDavAuth.feature

@@ -0,0 +1,28 @@
+@api @TestAlsoOnExternalUserBackend
+Feature: auth
+
+  Background:
+    Given user "user0" has been created with default attributes
+    And a new client token for "user0" has been generated
+
+  Scenario: using WebDAV anonymously
+    When a user requests "/remote.php/webdav" with "PROPFIND" and no authentication
+    Then the HTTP status code should be "401"
+
+  Scenario: using WebDAV with basic auth
+    When user "user0" requests "/remote.php/webdav" with "PROPFIND" using basic auth
+    Then the HTTP status code should be "207"
+
+  Scenario: using WebDAV with token auth
+    When user "user0" requests "/remote.php/webdav" with "PROPFIND" using basic token auth
+    Then the HTTP status code should be "207"
+
+	# DAV token auth is not possible yet
+	#Scenario: using WebDAV with a client token
+	#	When requesting "/remote.php/webdav" with "PROPFIND" using a client token
+	#	Then the HTTP status code should be "207"
+
+  Scenario: using WebDAV with browser session
+    Given a new browser session for "user0" has been started
+    When the user requests "/remote.php/webdav" with "PROPFIND" using the browser session
+    Then the HTTP status code should be "207"